Global ransomware attacks dipped 8% in February to 635 incidents compared to the previous month, and compared to the 1,099 attacks reported at the same time in 2025. The lull in ransomware attacks signals the end of a large spike of “batch listed” attacks the Cl0p ransomware group posted online in February 2025.
According to NCC Group’s Wednesday Threat Pulse report, the lull in attacks dovetails with a more worrying trend of emerging, sophisticated new ransomware, namely Reynolds. First tracked by Symantec and Carbon Black Threat Hunter Team in early February, the malware is notable for its built-in Bring-Your-Own-Vulnerable-Driver (BYOVD) component.
“Although Reynolds is still in its early stages and limited information is available, its delivery method is unusual and warrants caution,” NCC Group wrote. “It shows how attackers are continuously refining techniques to bypass defensive controls and simplify execution.”
Reynolds’ stealth is tied to its novel implementation of the BYOVD technique, which disables a target’s security protections before the ransomware payload is executed. Instead of relying on a separate tool deployed on the target system to do this, Reynolds integrates a vulnerable driver (NsecSoft NSecKrnl) into the primary executable.
The NSecKrnl driver contains a medium-severity vulnerability, CVE-2025-68947, which allows malicious actors to transmit specifically crafted requests to the driver before the targeted system can identify the driver’s security vulnerability, NCC Group wrote.
Ransomware by the Numbers
According to the Threat Pulse report, of those 635 reported ransomware attacks, 31% targeted the industrials sector, which remains the hardest-hit sector, trailed by consumers (20%), information technology (13%), and healthcare (8%).
The most prolific ransomware strain title goes to Qilin (also known as AGENDA), responsible for 15% of all attacks. Cl0p, The Gentlemen, and Akira (also known as REDBIKE) ransomware followed as the strains behind most attacks in February.
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said the threat landscape in February and beyond is also being defined by rapid AI adoption across sectors, which is creating new security challenges.
February Threats to Spur March Breaches
“While ransomware volumes have decreased compared to both January and February last year, AI-enabled threats and an increasingly volatile landscape mean organizations must ensure their cyber resilience strategies can adapt to evolving risks,” he wrote.
As many firms see a steady uptick in the number of AI-driven workflow tools such as n8n and OpenClaw, NCC Group warns “they introduce security risks and amplify existing ones.”
Six vulnerabilities were disclosed in n8n in February. A vulnerability in the OpenClaw AI assistant found earlier this month allowed attackers to hijack agents by luring victims to malicious websites, Oasis Security reported.
February cyber threat activity related to Israel–Iran tensions includes DDoS attacks, website defacements, inflated breach reports, and AI-driven misinformation. Despite this increase in volume, these attacks have had minimal operational impact, NCC Group said.

Birds of a Feather
Earlier this week, Mandiant researchers released their M-Trends 2026 report, which outlined key ransomware and threat trends in January and February.
Mandiant identifies two leading ransomware brands shaping the cybersecurity threat landscape so far. Analysis of data leak site (DLS) activity demonstrates that AGENDA (also known as Qilin) and REDBIKE (also known as Akira) were the most influential ransomware-as-a-service (RaaS) entities within this timeframe, which aligns with NCC Group’s findings.